www.belgium.be Logo of the federal government

Warning: critical RCE vulnerability CVE-2023-33308 in FortiOS and FortiProxy products, Patch Immediately!

Advisory #2023-80
Affected software: 
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.10
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.9
Remote Code Execution (RCE)



Fortiguard Labs - https://www.fortiguard.com/psirt/FG-IR-23-183


Exploitation of CVE-2023-33308 allows a remote unauthenticated attacker to execute code that can have a total impact on the confidentiality, integrity and availability of the targeted systems. The complexity of the attack is low and user interaction is not required.

At the time of writing, there is no proof of exploitation in the wild. Previous FortiOS flaws like this one were heavily exploited by threat actors in the past to gain initial access to the network to conduct data theft and ransomware attacks.

A previous vulnerability, CVE-2023-27997, in FortiOS SSL-VPN also showed the significant patch lag that exists with FortiOS appliances. Researchers kept finding thousands of unpatched devices after one month of the patches being available.

Unpatched critical vulnerabilities that can be exploited remotely without any required authentication and low attack complexity are particularly interesting for threat actors. Therefore, remediating CVE-2023-33308 is strongly advised.


CVE-2023-33308 is a critical stack-based overflow vulnerability that allows a remote attacker to reach proxy and firewall policies by executing arbitrary code or command via crafted packets.

FortiGuard explicitly mentions that following product versions are not affected:

  • FortiOS 6.4 all versions
  • FortiOS 6.2 all versions
  • FortiOS 6.0 all versions
  • FortiProxy 2.x all versions
  • FortiProxy 1.x all versions

A workaround is also described in the advisory, advising to disable HTTP/2 support on SSL inspection profiles with proxy mode, that is used by proxy and firewall policies.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends system administrators to patch the affected systems after thorough testing. If patching is not immediately an option, follow the vendor's instructions to mitigate the vulnerability.


Bleeping Computer - https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critica...